Merge pull request #13655 from keithhacks/escape-notification-contact-names
(Security) HTML-escape notification contact names
This commit is contained in:
commit
676ce83dab
1 changed files with 1 additions and 1 deletions
|
@ -134,6 +134,6 @@ class Notify extends BaseEntity
|
|||
*/
|
||||
public static function formatMessage(string $name, string $message): string
|
||||
{
|
||||
return str_replace('{0}', '<span class="contactname">' . BBCode::toPlaintext($name, false) . '</span>', htmlspecialchars($message));
|
||||
return str_replace('{0}', '<span class="contactname">' . htmlspecialchars(BBCode::toPlaintext($name, false)) . '</span>', htmlspecialchars($message));
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue